The Management Center Performs a Cloud Lookup – Cisco Malware and File Policy

The Management Center Performs a Cloud Lookup

Once the management center can resolve DNS names, it should also be able to connect to and register with the Cisco cloud, provided the management network allows outbound TCP 443 from the management center to the cloud. Registration is what allows the management center to query the cloud for malware dispositions. This section assumes that you have already fixed any connectivity or DNS issues found in the previous section. Here you download the MSEXE file 7z1900.exe once again; you should notice a different type of event this time.
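A Cloud Lookup Timeout looks the same whether DNS is broken or TCP 443 is filtered, so it helps to test the two separately. The following is an added example, not code from the book or from Cisco: it resolves a hostname and then attempts a TCP connection to each returned address, reporting which stage failed. The cloud hostname is passed in as an argument because the exact Cisco cloud hostnames are taken from Cisco's own documentation and are not assumed here; run it from a host on the same management segment as the management center so that it sees the same DNS servers and firewall path.

```python
"""Separate DNS failures from blocked TCP paths when a cloud lookup times out.

Added example for this chapter; it is not part of Secure Firewall or the book.
"""
import socket
import sys


def check_cloud_path(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return a dict with 'status' of 'dns_failure', 'tcp_failure' or 'reachable'.

    dns_failure: the name did not resolve (fix DNS on the management interface).
    tcp_failure: the name resolved but no address accepted a TCP connection on
                 the port (an upstream firewall or proxy is filtering the path).
    reachable:   a TCP handshake completed; TLS and registration are the next
                 things to verify in the management center's integration settings.
    """
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"status": "dns_failure", "detail": str(exc), "ips": []}

    ips = sorted({a[4][0] for a in addrs})
    last_err = "no addresses returned"
    for family, socktype, proto, _, sockaddr in addrs:
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                return {
                    "status": "reachable",
                    "detail": f"connected to {sockaddr[0]}:{port}",
                    "ips": ips,
                }
        except OSError as exc:
            # Try the next resolved address before declaring the path blocked.
            last_err = f"{sockaddr[0]}: {exc}"
    return {"status": "tcp_failure", "detail": last_err, "ips": ips}


def start_local_listener():
    """Open a throwaway TCP listener on 127.0.0.1 so the check can be exercised offline.

    Returns (server_socket, port); close the socket to simulate a filtered path.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python cloud_path_check.py <cloud-hostname> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = check_cloud_path(target, target_port)
    print(f"{target}:{target_port} -> {result['status']} ({result['detail']})")
```

A dns_failure result means the previous section's DNS fix has not taken effect for this host; a tcp_failure with resolved addresses points at an access list or proxy between the management center and the Internet, which no DNS change will cure.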

Figure 16-28 shows two different actions on file events for downloading the same file. Now that the management center can communicate with the Cisco cloud, the file event for the new download shows the action Malware Cloud Lookup instead of Cloud Lookup Timeout.

Figure 16-28 Successful Malware Cloud Lookup

You can go to the File Events page to find the dispositions of any detected files. The Cisco cloud can return one of the following dispositions for a query:

  • Malware: If Cisco determines that a file is malware
  • Clean: If Cisco finds no malicious pattern on a file
  • Unknown: If Cisco has not assigned a disposition (malware or clean) to a file

Figure 16-29 compares two dispositions, Unknown and Unavailable, for the 7z1900.exe file. Unknown confirms that the cloud was reached but has not assigned a category to the file, whereas Unavailable indicates that the cloud could not be queried at all.

Figure 16-29 Malware Disposition—Unknown Versus Unavailable


The Threat Defense Blocks Malware

This section shows how to analyze what Secure Firewall does when it encounters malware. To emulate a malicious file, this chapter uses the antimalware test file published by the European Institute for Computer Antivirus Research (EICAR), known as the EICAR test file. Cisco does not develop or maintain this test file; you can download the latest copy from eicar.org. Alternatively, you can create the file yourself with a text editor. It consists of the following 68 characters:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Figure 16-30 shows the creation of suspicious.exe, an antimalware test file, using Notepad, the text editor that ships with Microsoft Windows. The file contains nothing but the test string. Paste the string, set Save as type to All Files (otherwise Notepad appends .txt), choose ANSI or UTF-8 encoding rather than UTF-8 with BOM, and save it as suspicious.exe. The .exe extension makes the download look like a Windows program, but the file is still plain ASCII text; it is the test string itself that antimalware engines, including the Cisco cloud, recognize.

Figure 16-30 Creating an Antimalware Test File Using a Text Editor


To run the experiment, first store the test file (suspicious.exe) on a web server in your lab network, then download it to a client computer with a web browser. The threat defense should block the attempt. Note that antivirus software on the client also recognizes the EICAR string; if no file event appears at all, check whether the endpoint blocked the download before the threat defense saw it.
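The most common reason a hand-made test file is not flagged is that it no longer matches the EICAR rules: a byte-order mark or smart quote inserted by the editor, a stray character after the string, or a file that grew past 128 bytes. The following added example (not code from the book or from Cisco) writes suspicious.exe byte-exactly, validates a candidate file against the published EICAR rules, and computes its SHA-256, which is the key the Cisco cloud lookup is performed on and the value shown in the File Events SHA256 column. The well-known SHA-256 of the bare 68-byte string is included so you can compare it with what the management center reports; the BOM-prefixed input below is constructed to show the failure mode.

```python
"""Create and verify an EICAR test file such as the suspicious.exe used in this chapter.

Added example; it is not part of the book, Secure Firewall, or eicar.org.
"""
import hashlib
from typing import Tuple

# The 68-byte EICAR test string, ASCII only. The backslash is escaped for Python.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# SHA-256 of the bare 68-byte string. Secure Firewall keys its cloud disposition
# lookup on SHA-256, so a correctly built file shows this hash in File Events.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# The only bytes the EICAR rules allow after the string: space, tab, CR, LF, Ctrl-Z.
_ALLOWED_TRAILER = set(b" \t\r\n\x1a")

# A UTF-8 byte-order mark, the usual artifact of "UTF-8 with BOM" in an editor.
UTF8_BOM = b"\xef\xbb\xbf"


def validate_eicar(data: bytes) -> Tuple[bool, str]:
    """Check a file body against the eicar.org rules.

    Valid means: starts with the exact 68-byte string, total length at most
    128 bytes, and only permitted whitespace after the string.
    """
    if not data.startswith(EICAR):
        return False, "does not start with the EICAR string (BOM, smart quote or typo?)"
    if len(data) > 128:
        return False, f"{len(data)} bytes, EICAR allows at most 128"
    extra = set(data[len(EICAR):]) - _ALLOWED_TRAILER
    if extra:
        return False, "disallowed bytes after the string: " + repr(bytes(sorted(extra)))
    return True, "ok"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the identifier the cloud lookup uses for a file."""
    return hashlib.sha256(data).hexdigest()


def build_test_file(trailer: bytes = b"") -> bytes:
    """Return the bytes of a test file: the string plus an optional allowed trailer."""
    return EICAR + trailer


def write_test_file(path: str, trailer: bytes = b"") -> bytes:
    """Write the test file in binary mode so no newline or encoding rewriting occurs."""
    data = build_test_file(trailer)
    with open(path, "wb") as fh:
        fh.write(data)
    return data


if __name__ == "__main__":
    body = write_test_file("suspicious.exe")
    ok, reason = validate_eicar(body)
    print(f"suspicious.exe: valid={ok} ({reason}) sha256={sha256_hex(body)}")
    # Constructed bad input: the same string saved as "UTF-8 with BOM".
    bad = UTF8_BOM + EICAR
    print(f"with BOM: valid={validate_eicar(bad)[0]} sha256={sha256_hex(bad)}")
```

Run the script in the directory you serve to the client; `python -m http.server` in that directory is enough for a lab web server. A file that ends with a CRLF is still valid EICAR, but its SHA-256 differs from the bare string's, so do not expect the well-known hash in File Events unless the file is exactly 68 bytes.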

Figure 16-31 shows the threat defense blocking the client's repeated attempts to download suspicious.exe. The cloud lookup returns a very high threat score for the test file because the cloud recognizes the test string within it and classifies the file as malware.

Figure 16-31 The Threat Defense Blocking a File with a Very High Threat Score

Likewise, the File Disposition widget on the Files dashboard should now show data (see Figure 16-32), whereas it showed none earlier (refer to Figure 16-23).

Figure 16-32 The File Disposition Widget Shows Data
